# Volatility3 core commands

Assume you're given a memory sample that is likely from a Windows host, but you have minimal information about it. Here's how to identify basic Windows host information using Volatility:

```
$ python3 vol.py -f /path/to/memory.dump windows.info
```

Volatility can display a lot of information, and it's not always easy to read. Use the `-r` (render) flag to choose the output format: pretty (tabulated), json, csv, or quick. More information here: <https://volatility3.readthedocs.io/en/stable/volatility3.cli.text_renderer.html>

I typically export results as CSV if I want to import them into a timeline, filter them in Excel, etc.

```
$ python3 vol.py -r csv -f /path/to/memory.dump windows.info
```

Display process information:

```
$ python3 vol.py -f /path/to/memory.dump windows.pslist
```

To display the same process information with parent/child relationships shown as a tree:

```
$ python3 vol.py -f /path/to/memory.dump windows.pstree
```
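The CSV export of `windows.pslist` can be post-processed into a time-ordered process list with parent names resolved, as in this added example (not part of the original page). The column names are assumed from typical Volatility 3 CSV output, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample of `vol.py -r csv -f memory.dump windows.pslist` output.
# Column names are an assumption; check the header line of your own export.
SAMPLE_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa8000c9d040,97,446,N/A,False,2021-04-30 12:39:40.000000 UTC,N/A,Disabled
0,4628,3004,notepad.exe,0xfa8002a1b060,3,60,1,False,2021-04-30 12:52:11.000000 UTC,N/A,Disabled
0,588,480,services.exe,0xfa8001d2e060,8,210,0,False,2021-04-30 12:39:47.000000 UTC,N/A,Disabled
0,912,588,svchost.exe,0xfa8001e4f060,10,350,0,False,2021-04-30 12:39:49.000000 UTC,N/A,Disabled
"""

def parse_time(value):
    """Return a datetime for a CreateTime cell, or None for N/A or empty cells."""
    try:
        return datetime.strptime((value or "").strip()[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None

def build_timeline(csv_text):
    """Sort processes by CreateTime and resolve each PPID to a parent name."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    names = {row["PID"]: row["ImageFileName"] for row in rows}
    timeline = []
    for row in rows:
        timeline.append({
            "time": parse_time(row["CreateTime"]),
            "pid": int(row["PID"]),
            "ppid": int(row["PPID"]),
            "name": row["ImageFileName"],
            # None: the parent PID is not in the listing (for example, it has exited).
            "parent": names.get(row["PPID"]),
        })
    # Rows without a usable timestamp sort last.
    timeline.sort(key=lambda e: (e["time"] is None, e["time"] or datetime.min))
    return timeline

def missing_parents(timeline):
    """Processes whose parent PID is absent from pslist (PPID 0 is skipped)."""
    return [e for e in timeline if e["parent"] is None and e["ppid"] != 0]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_CSV):
        parent = e["parent"] or f"PID {e['ppid']} (not listed)"
        print(e["time"], e["pid"], e["name"], "<-", parent)
```

PIDs can be reused, so a resolved parent name is a lead to confirm against `CreateTime` and `windows.pstree`, not a conclusion.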

Dump executables and associated DLLs (you need the process ID/PID first):

```
$ python3 vol.py -f /path/to/memory.dump -o /output/directory/ windows.dumpfiles --pid 4628
```


